CVE-2026-2004
Arbitrary Code Execution via Input Validation Flaw in PostgreSQL intarray
Publication date: 2026-02-12
Last updated on: 2026-02-20
Assigner: PostgreSQL
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| postgresql | postgresql | From 18.0 (inc) to 18.2 (exc) |
| postgresql | postgresql | From 14.0 (inc) to 14.21 (exc) |
| postgresql | postgresql | From 15.0 (inc) to 15.16 (exc) |
| postgresql | postgresql | From 16.0 (inc) to 16.12 (exc) |
| postgresql | postgresql | From 17.0 (inc) to 17.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2004 is a security vulnerability in the PostgreSQL intarray extension, specifically in the selectivity estimator function.
The issue is caused by missing validation of the input type to this function, which allows an attacker who can create objects in the database to execute arbitrary code.
This arbitrary code execution happens with the privileges of the operating system user running the PostgreSQL server.
The vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21.
How can this vulnerability impact me?
This vulnerability can have a severe impact because it allows an attacker with the ability to create database objects to execute arbitrary code on the server.
The code execution occurs with the privileges of the operating system user running the PostgreSQL server, potentially leading to full system compromise.
The CVSS score of 8.8 indicates high severity, with high impact on confidentiality, integrity, and availability of the system. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your PostgreSQL installation to one of the fixed versions: 18.2, 17.8, 16.12, 15.16, or 14.21, or later.
Applying the official patches released by the PostgreSQL project on February 12, 2026, will address the missing input type validation in the intarray extension's selectivity estimator function and prevent arbitrary code execution. [1]